Laptops and mobile devices that access the corporate network behind the perimeter firewall have IT staffs scrambling to combat malicious threats introduced in a way that evades perimeter security measures. As the network perimeter dissolves, IT administrators must find solutions that provide granular access controls and capable zero-day worm defenses that are appropriate and manageable for wired and wireless clients.
The number of products that attempt to address this problem is increasing dramatically, bringing access controls, inline application filtering and host quarantine capabilities to the forefront. However, each product seems to plant a stake in the ground, focusing on either wired or wireless deployments. When evaluating any solution, administrators must stay mindful of their needs for both.
In the past few months, eWEEK Labs has evaluated new solutions from emerging companies such as CyberGatekeeper LAN from InfoExpress Inc. and Identity Platform from Trusted Networks Technologies Inc. These products segment the wired internal network with a combination of gateway hardware and client software that provides worm defense or user-specific access controls to critical resources. In addition, established companies such as Cisco Systems Inc., with its Self-Defending Network initiative, are targeting this space.
There are advantages and disadvantages to the use of client applications to enable host security. Client-side software provides a much deeper scan of the client host for vulnerabilities, missing applications or malware and can enable unique identification properties or encryption capabilities in network traffic down to the packet level.
However, the deployment of client applications—not only to laptops but also to every users desktop computer—is a daunting administrative task. Add mobile devices to the mix (assuming there is mobile-compatible software at all), and the administrative burden is nigh insurmountable.
There are a number of clientless solutions on the market today, several of which are infrastructure products positioned as wireless solutions. For a few years, security gateway vendors such as BlueSocket Inc., ReefEdge Inc. and Vernier Networks Inc. have been delivering products that provide authentication services, time- and user-specific access to back-end resources, and IP Security encryption endpoints within the internal network.
During the past year, both Bluesocket and Vernier Networks also layered on virus and worm defenses, based on threat-specific filters or on rate-based detection capabilities. Although these features need to be enhanced with stronger signature-based recognition and detection engines, the products potential for deployment in conjunction with wired clients is compelling.
Security gateway vendor Perfigo Inc. recognized the burgeoning need to protect wired and wireless clients and shifted its development and marketing strategies appropriately. Where Perfigos early-generation SecureSmart products focused on securing and managing wireless infrastructure, this years addition of the companys CleanMachines vulnerability assessment and quarantine capabilities is vital and appropriate for wired clients as well.
The Perfigo solution can work both ways, providing the option to use clientless, network-based vulnerability scans or deeper client-based registry scans via its SmartEnforcer technology. Perfigos change of emphasis is a welcome development that properly reflects the needs of enterprise customers to mitigate attacks no matter what the connection. Wed like to see the other security gateway vendors follow suit.
When we spoke to BlueSocket and ReefEdge representatives about their offerings efficacy for wired and wireless products, both parties said some customers use the solutions for computers with wired network access—college dormitories and corporate meeting rooms are common scenarios. However, both companies have for now chosen to stay on message, promoting the increased security and mobility their products bring to wireless networks.
Nonetheless, the wireless gateway vendors have a proven track record. Their product lines reflect the lessons learned from actual deployments, with improved access controls, security scans and throughput capabilities—all features that are necessary when considering the wired network as well.
Wireless administrators have likely investigated these products to protect their WLANs (wireless LANs), and network IT staffs may find that these solutions fill the bill to protect wired networks as well.
Technical Analyst Andrew Garcia can be reached at [email protected]